CVE-2024-25620 — Path Traversal in Helm

CWE-22 — Path Traversal CWE-23 — Relative Path Traversal8 documents6 sources

Severity

6.4MEDIUMNVD

EPSS

0.2%

top 62.05%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Helm Helm.sh Helm V3

Timeline

PublishedFeb 15

Latest updateFeb 29

Description

Helm is a tool for managing Charts. Charts are packages of pre-configured Kubernetes resources. When either the Helm client or SDK is used to save a chart whose name within the `Chart.yaml` file includes a relative path change, the chart would be saved outside its expected directory based on the changes in the relative path. The validation and linting did not detect the path changes in the name. This issue has been resolved in Helm v3.14.1. Users unable to upgrade should check all charts used by…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:NExploitability: 3.1 | Impact: 2.7

Affected Packages3 packages

▶CVEListV5helm/helm< 3.14.1

▶NVDhelm/helm< 3.14.1

▶Gohelm.sh/helm_v3< 3.14.1

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

Path traversal in helm.sh/helm/v3↗2024-02-29

▶

GHSA

Helm dependency management path traversal↗2024-02-15

▶

OSV

Helm dependency management path traversal↗2024-02-15

▶

OSV

CVE-2024-25620: Helm is a tool for managing Charts↗2024-02-15

▶

CVEList

Dependency management path traversal in helm↗2024-02-14

▶

📋Vendor Advisories

Red Hat

helm: Dependency management path traversal↗2024-02-15

▶

Microsoft

Dependency management path traversal in helm↗2024-02-13

▶